Adding an HTTPS listener

Enabling an HTTPS listener (Lobster Integration and Admin Console)

The following XML fragment adds an HTTPS listener (HTTPS connector) to the configuration file ./etc/hub.xml (Lobster Integration) or ./etc/admin.xml (Admin Console). The listener accepts incoming SSL-secured requests. Note the different refid values for Lobster Integration and the Admin Console.

Version                                                                          | ./etc/hub.xml                        | ./etc/admin.xml
Before 4.6.9 and as of LDP                                                       | Communication and GUI                | Admin console only
4.6.9 through the end of the 4.6.x branch (new installations only, not updates)  | Communication only (e.g., HTTP, AS2) | Admin console and GUI

Bind a TLS-capable certificate to Lobster Integration. When creating a self-signed certificate in the Create new certificate dialog, enable the following checkboxes:

  • Signing

  • Encryption

  • TLS Server

  • Signing/Encryption must be supported

For guidance on creating and managing a certificate for HTTPS web servers, see Certificates.

Recommended reference method: In the <Set name="serverCertSubjectName"> parameter, use the notation ksnote:mycertificate. mycertificate is the value you entered in the Note field of your certificate.

Use this method instead of specifying the certificate ID or the Common Name (CN). The certificate ID changes when your certificate expires. Common names are not always unique.

This avoids name conflicts and unnecessary changes to the configuration file. Always use unique values in the Note field.

NOTE

If the specified certificate is not found, the first suitable certificate found is used automatically. An HTTP listener and an HTTPS listener can run in parallel.

IMPORTANT

Changes to XML configuration files are only read when the Integration Server restarts. A restart is required after every change.

<!-- SSL support by authentication service, preferred method     -->
<!-- =========================================================== -->
<!-- Add an HTTPS Connector.                                     -->
<!-- Configure an o.e.j.server.ServerConnector with connection   -->
<!-- factories for TLS (aka SSL) and HTTP to provide HTTPS.      -->
<!-- Each accepted TLS connection is wired to an HTTP connection.-->
<!--                                                             -->
<!-- Consult the javadoc of o.e.j.server.ServerConnector,        -->
<!-- o.e.j.server.SslConnectionFactory and                       -->
<!-- o.e.j.server.HttpConnectionFactory for all configuration    -->
<!-- that may be set here.                                       -->
<!-- =========================================================== -->

<Call id="httpsConnector" name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server">
        <!-- Use "MainServer" for Lobster Integration and "AdminServer" for Admin Console -->
        <Ref refid="MainServer" />
      </Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory">
                <New class="com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory">
                  <!-- <Set name="serverCertSubjectName">*CN=YourCertificateCommonName*</Set> -->
                  <!-- <Set name="serverCertSubjectName">certid:1574423144929056</Set> -->
                  <Set name="serverCertSubjectName">ksnote:mycertificate</Set>
                  <Call name="addExcludeCipherSuites">
                    <Arg>
                      <Array type="String">
                        <Item>.*NULL.*</Item>
                        <Item>.*RC4.*</Item>
                        <Item>.*MD5.*</Item>
                        <Item>.*DES.*</Item>
                        <Item>.*DSS.*</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Call name="addExcludeProtocols">
                    <Arg>
                      <Array type="java.lang.String">
                        <Item>SSL</Item>
                        <Item>SSLv2</Item>
                        <Item>SSLv2Hello</Item>
                        <Item>SSLv3</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Set name="renegotiationAllowed">FALSE</Set>
                  <Set name="IncludeCipherSuites">
                    <Array type="String">
                      <Item>TLS_DHE_RSA.*</Item>
                      <Item>TLS_ECDHE.*</Item>
                    </Array>
                  </Set>
                </New>
              </Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config">
                <Ref refid="sslHttpConfig" />
              </Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="port">443</Set>
      <Set name="idleTimeout">180000</Set>
    </New>
  </Arg>
</Call>

Enforcing HTTPS for the Admin Console

To enforce HTTPS login for the "Admin console", edit the following two entries.

Configuration file ./etc/startup.xml

<!-- admin console: use SSL & port -->
<Call name="setAdminUrlParams"><Arg type="boolean">true</Arg><Arg type="int">443</Arg></Call>

Configuration file ./etc/webdefault.xml

<!-- redirect to https -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
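
Because XML configuration changes only take effect after a restart, it pays to check the HTTPS connector fragment above and the webdefault.xml constraint before restarting. The following Python script is an added example and not part of the Lobster documentation or product. It parses a condensed, constructed copy of the page's hub.xml fragment and of the security-constraint entry, and reports deviations from the settings the page recommends: the server refid expected for hub.xml versus admin.xml, a serverCertSubjectName that is not a ksnote: reference, missing protocol or cipher exclusions, renegotiationAllowed not set to FALSE, and a transport-guarantee that is not CONFIDENTIAL for /*. The function and constant names are this example's own; the one informational finding about TLSv1/TLSv1.1 goes beyond the page's exclusion list. Real hub.xml files carry a DOCTYPE, which ElementTree ignores when parsing.

```python
# Added example (not Lobster's code): lint the HTTPS listener settings from
# this page before the restart that is needed for them to take effect.
import xml.etree.ElementTree as ET

# Constructed sample: a condensed copy of the page's ./etc/hub.xml connector
# fragment, wrapped in <Configure> so it parses stand-alone. Pass the text of
# your real hub.xml or admin.xml to check_https_connector() instead.
SAMPLE_HUB_XML = """<Configure>
<Call id="httpsConnector" name="addConnector"><Arg>
 <New class="org.eclipse.jetty.server.ServerConnector">
  <Arg name="server"><Ref refid="MainServer" /></Arg>
  <Arg name="factories"><Array type="org.eclipse.jetty.server.ConnectionFactory">
   <Item><New class="org.eclipse.jetty.server.SslConnectionFactory">
    <Arg name="next">http/1.1</Arg>
    <Arg name="sslContextFactory">
     <New class="com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory">
      <Set name="serverCertSubjectName">ksnote:mycertificate</Set>
      <Call name="addExcludeCipherSuites"><Arg><Array type="String">
       <Item>.*NULL.*</Item><Item>.*RC4.*</Item><Item>.*MD5.*</Item>
       <Item>.*DES.*</Item><Item>.*DSS.*</Item></Array></Arg></Call>
      <Call name="addExcludeProtocols"><Arg><Array type="java.lang.String">
       <Item>SSL</Item><Item>SSLv2</Item><Item>SSLv2Hello</Item><Item>SSLv3</Item>
      </Array></Arg></Call>
      <Set name="renegotiationAllowed">FALSE</Set>
     </New></Arg></New></Item>
  </Array></Arg>
  <Set name="port">443</Set>
 </New></Arg></Call></Configure>"""

# Constructed sample of the ./etc/webdefault.xml entry shown above.
SAMPLE_WEBDEFAULT_XML = """<web-app><security-constraint>
 <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
 <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint></security-constraint></web-app>"""

SSL_CONTEXT_FACTORY = "com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory"
EXPECTED_REFID = {"hub.xml": "MainServer", "admin.xml": "AdminServer"}
REQUIRED_EXCLUSIONS = {  # the page's lists, keyed by the <Call> that sets them
    "addExcludeProtocols": {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"},
    "addExcludeCipherSuites": {".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"},
}


def _items(scf, call_name):
    """Strings in the array passed to <Call name=call_name> on the context factory."""
    calls = scf.findall(f"Call[@name='{call_name}']")
    return {i.text.strip() for c in calls for i in c.iter("Item") if i.text}


def check_https_connector(xml_text, config_file="hub.xml"):
    """Return [(level, message)] for the HTTPS connector; errors should block the restart."""
    root = ET.fromstring(xml_text)
    conn = next((n for n in root.iter("New")
                 if n.get("class") == "org.eclipse.jetty.server.ServerConnector"
                 and n.find(f".//New[@class='{SSL_CONTEXT_FACTORY}']") is not None), None)
    if conn is None:
        return [("error", f"no ServerConnector using {SSL_CONTEXT_FACTORY} found")]
    scf = conn.find(f".//New[@class='{SSL_CONTEXT_FACTORY}']")
    findings = []
    # The server reference differs between hub.xml and admin.xml.
    ref = conn.find("Arg[@name='server']/Ref")
    expected = EXPECTED_REFID[config_file]
    if ref is None or ref.get("refid") != expected:
        findings.append(("error", f'server Ref must be refid="{expected}" in {config_file}'))
    # Certificate reference: ksnote: survives renewals; certid: and CN= do not.
    subj = scf.find("Set[@name='serverCertSubjectName']")
    value = (subj.text or "").strip() if subj is not None else ""
    if not value:
        findings.append(("warning", "no serverCertSubjectName: the first suitable certificate is used"))
    elif value.startswith("certid:"):
        findings.append(("warning", "certid: reference changes on renewal; use ksnote: instead"))
    elif not value.startswith("ksnote:"):
        findings.append(("warning", f"{value!r} is not a ksnote: reference; CNs need not be unique"))
    for call_name, required in REQUIRED_EXCLUSIONS.items():
        missing = required - _items(scf, call_name)
        if missing:
            findings.append(("error", f"{call_name} lacks {sorted(missing)}"))
    if {"TLSv1", "TLSv1.1"} - _items(scf, "addExcludeProtocols"):
        # Beyond the page's list: both are deprecated (RFC 8996) and worth excluding as well.
        findings.append(("info", "TLSv1 and TLSv1.1 are not excluded"))
    reneg = scf.find("Set[@name='renegotiationAllowed']")
    if reneg is None or (reneg.text or "").strip().lower() != "false":
        findings.append(("error", "renegotiationAllowed must be FALSE"))
    return findings


def check_https_enforced(webdefault_text):
    """True if webdefault.xml has a CONFIDENTIAL transport guarantee covering /*."""
    def local(tag):  # tag name without namespace, in case the file declares an xmlns
        return tag.rsplit("}", 1)[-1]
    root = ET.fromstring(webdefault_text)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        patterns = {(e.text or "").strip() for e in sc.iter() if local(e.tag) == "url-pattern"}
        guarantees = {(e.text or "").strip() for e in sc.iter() if local(e.tag) == "transport-guarantee"}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


if __name__ == "__main__":  # prints the sample's findings; an "error" should stop the restart
    print(*check_https_connector(SAMPLE_HUB_XML), check_https_enforced(SAMPLE_WEBDEFAULT_XML), sep="\n")
```

Run against the constructed sample, the connector check returns no errors and only the informational TLSv1/TLSv1.1 note; pointing it at admin.xml while the fragment still references MainServer yields the refid error, and a certid: reference yields the warning the page's recommendation is about.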

Enabling an HTTPS listener (DMZ server)

To enable inbound forwarding of HTTP/FTP/SSH/OFTP, apply the same steps described above to the ./etc/hub.xml configuration file on the DMZ server. The certificate used there is likewise a certificate from the inner system (Lobster Integration).

Let's Encrypt (automatic certificate handling)

See the section "Let’s Encrypt/ACME/Certbot" in Certificates to obtain and renew certificates from a Certificate Authority automatically and free of charge.